Virtualmin on Ubuntu not picking up newer apache modules (was: Security policy ...)

Hi,

I’m a bit confused about something.

I have a server running Virtualmin GPL, currently 3.76. Some of the apache2 related modules running on it are:

apache2-doc 2.2.8-11vm

apache2-mpm-prefork 2.2.8-11vm

apache2.2-common 2.2.8-11vm

which come from the Virtualmin repository for Hardy Heron.

Problem is … these modules were installed on the server several months ago and are (relatively) quite old. Normally this is not a problem, except that since the time these modules were installed …

o Apache has had one or two security releases

o Ubuntu Hardy repositories also have had some security releases for Apache.

So the apache* 2.2.8-11vm packages on my server have not been updated since these security vulnerabilities have come out.

I’ve tried updating the package information on my server, but it doesn’t find any newer apache* modules from the Virtualmin repository.

So my question is …

Is it okay to be using these apache* 2.2.8-11vm packages? Am I pulling stuff from incorrect repositories?

Is 2.2.8-11vm the latest version of these packages?

If 2.2.8-11vm is the latest, then these packages are outdated and presumably vulnerable. What is Virtualmin’s policy on security updates from upstream sources?

I hope you can clarify this. Something doesn’t feel quite right.

Thank you.

EDIT: Changing title of post to be more accurate.

Also, if it helps, this is my output from an update. Executing this command didn’t change my situation.

$ sudo apt-get update
Hit http://software.virtualmin.com virtualmin-hardy Release.gpg
Ign http://software.virtualmin.com virtualmin-hardy/main Translation-en_AU
Hit http://security.ubuntu.com hardy-security Release.gpg
Ign http://security.ubuntu.com hardy-security/main Translation-en_AU
Ign http://security.ubuntu.com hardy-security/restricted Translation-en_AU
Hit http://us.archive.ubuntu.com hardy Release.gpg
Ign http://us.archive.ubuntu.com hardy/main Translation-en_AU
Ign http://us.archive.ubuntu.com hardy/restricted Translation-en_AU
Hit http://software.virtualmin.com virtualmin-hardy Release
Ign http://security.ubuntu.com hardy-security/universe Translation-en_AU
Ign http://security.ubuntu.com hardy-security/multiverse Translation-en_AU
Hit http://security.ubuntu.com hardy-security Release
Hit http://software.virtualmin.com virtualmin-hardy/main Packages
Ign http://us.archive.ubuntu.com hardy/universe Translation-en_AU
Ign http://us.archive.ubuntu.com hardy/multiverse Translation-en_AU
Hit http://us.archive.ubuntu.com hardy-updates Release.gpg
Ign http://us.archive.ubuntu.com hardy-updates/main Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/restricted Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/universe Translation-en_AU
Ign http://us.archive.ubuntu.com hardy-updates/multiverse Translation-en_AU
Hit http://us.archive.ubuntu.com hardy Release
Hit http://security.ubuntu.com hardy-security/main Packages
Hit http://us.archive.ubuntu.com hardy-updates Release
Hit http://security.ubuntu.com hardy-security/restricted Packages
Hit http://security.ubuntu.com hardy-security/main Sources
Hit http://security.ubuntu.com hardy-security/restricted Sources
Hit http://security.ubuntu.com hardy-security/universe Packages
Hit http://us.archive.ubuntu.com hardy/main Packages
Hit http://us.archive.ubuntu.com hardy/restricted Packages
Hit http://us.archive.ubuntu.com hardy/main Sources
Hit http://us.archive.ubuntu.com hardy/restricted Sources
Hit http://us.archive.ubuntu.com hardy/universe Packages
Hit http://security.ubuntu.com hardy-security/universe Sources
Hit http://security.ubuntu.com hardy-security/multiverse Packages
Hit http://security.ubuntu.com hardy-security/multiverse Sources
Hit http://us.archive.ubuntu.com hardy/universe Sources
Hit http://us.archive.ubuntu.com hardy/multiverse Packages
Hit http://us.archive.ubuntu.com hardy/multiverse Sources
Hit http://us.archive.ubuntu.com hardy-updates/main Packages
Hit http://us.archive.ubuntu.com hardy-updates/restricted Packages
Hit http://us.archive.ubuntu.com hardy-updates/main Sources
Hit http://us.archive.ubuntu.com hardy-updates/restricted Sources
Hit http://us.archive.ubuntu.com hardy-updates/universe Packages
Hit http://us.archive.ubuntu.com hardy-updates/universe Sources
Hit http://us.archive.ubuntu.com hardy-updates/multiverse Packages
Hit http://us.archive.ubuntu.com hardy-updates/multiverse Sources
Reading package lists... Done

Howdy,

You should be seeing version 2.2.8-12vm.ubuntu0.14 for Apache in Virtualmin’s repository.

If you aren’t – well, that’s odd :slight_smile:

I verified that the actual packages are in the repo.

After running the “apt-get update” that you ran above, if you don’t see a newer Apache when running “apt-get upgrade”, it’s possible something’s wrong with the repository’s metadata, and I can talk to Joe about that.

In the meantime, while it’s a bit of a pain, you can always manually download the files from in here:

http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/binary-i386/

Hi,

Thank you for your very prompt response.

I’d say there’s likelier to be something wrong with my system setup so let me go have a look at that and report back.

you can always manually download the files from in here:

Thanks, but I’d rather do things the right way because there may be other packages which aren’t picked up.

Which brings me to the following questions (out of curiosity) …

Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

How come you had to modify apache (if it’s not too long to answer)?

Hi,

No luck in trying to get apt-get to pick up the 2.2.8-12vm.ubuntu0.14 versions.

I’ve tried various apt-get cleans and upgrades and installs and it’s just not acknowledging any of the newer versions of the affected packages.

Here, also is the bottom of my /etc/apt/sources.list:

# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner

deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-hardy main

Can you please get someone to check the repository metadata? Or anything else you can think of that I can check?

Here’s something that may or may not be interesting.

Downloading the file http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/binary-i386/Packages and then doing a grep for applicable version numbers gives:

$ grep '2.2.8-.*vm' Packages | grep Version | sort | uniq
Version: 2.2.8-10ubuntu0.6vm
Version: 2.2.8-10vm.ubuntu0.15
Version: 2.2.8-11vm

The latest version that appears in the Packages file is 2.2.8-11vm. The version string 2.2.8-12vm.ubuntu0.14 does not appear at all.

Howdy,

Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

You can see a list of all the custom modified software by browsing the Virtualmin Ubuntu repository:

http://software.virtualmin.com/gpl/ubuntu/dists/virtualmin-hardy/main/binary-i386/

Hi,

I’ve added a request for this here: https://www.virtualmin.com/node/14130
The .deb packages are in the repo; from what I know, the “Packages*” files need to be recreated.

daniel
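
The condition this thread arrives at (newer .deb files sitting in the repository directory while the Packages index that apt reads still stops at 2.2.8-11vm) can be checked mechanically. The script below is an added example, not part of any post and not Virtualmin's own tooling: the sample index and .deb file names are constructed from the package names and versions quoted in the thread, and `make_sample`, `index_versions` and `unindexed_debs` are hypothetical helper names.

```shell
# Added example. Sample data is constructed: package names and versions come
# from the thread; .deb file names are assumed to follow name_version_arch.deb.
make_sample() {   # writes $1/Packages and $1/debs.txt
  cat > "$1/Packages" <<'EOF'
Package: apache2-doc
Version: 2.2.8-11vm
Architecture: all

Package: apache2-mpm-prefork
Version: 2.2.8-10vm.ubuntu0.15
Architecture: i386

Package: apache2-mpm-prefork
Version: 2.2.8-11vm
Architecture: i386
EOF
  cat > "$1/debs.txt" <<'EOF'
apache2-doc_2.2.8-11vm_all.deb
apache2-doc_2.2.8-12vm.ubuntu0.14_all.deb
apache2-mpm-prefork_2.2.8-11vm_i386.deb
apache2-mpm-prefork_2.2.8-12vm.ubuntu0.14_i386.deb
EOF
}

# Print "package version" per stanza, so each version stays tied to its package.
index_versions() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       { pkg = ""; ver = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^Package: /) pkg = substr($i, 10)
           if ($i ~ /^Version: /) ver = substr($i, 10)
         }
         if (pkg != "") print pkg, ver }' "$1"
}

# Print each .deb named in $2 that index $1 does not advertise (invisible to apt).
unindexed_debs() {
  advertised=$(index_versions "$1" | tr ' ' '_')
  while IFS= read -r deb; do
    stem=${deb%_*}                       # drop the trailing _arch.deb
    printf '%s\n' "$advertised" | grep -qxF -- "$stem" || printf '%s\n' "$deb"
  done < "$2"
}

demo=$(mktemp -d) && make_sample "$demo"
unindexed_debs "$demo/Packages" "$demo/debs.txt"
rm -rf "$demo"
```

Run against a downloaded Packages file and a listing of the repository's binary directory, any output names packages that clients cannot see until the index is regenerated.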